Amazon Linux 2023 Security Advisory: ALAS2023-2026-1872
Advisory Released Date: 2026-06-22
Advisory Updated Date: 2026-06-22
gitoxide is an implementation of git written in Rust. Prior to 0.21.1, a malicious tree can be constructed that will, when checked out with gitoxide, permit writing an attacker-controlled symlink into any existing directory the user has write access to. During checkout, all symlink index entries are deferred and created after regular files using a single shared gix_worktree::Stack. Internally, this uses a gix_fs::Stack. gix_fs::Stack::make_relative_path_current() caches validated path prefixes: when the previously-processed leaf component exactly matches the leading component(s) of the next path, the leaf-to-directory transition at gix-fs/src/stack.rs invokes only delegate.push_directory(), never delegate.push(). In gix_worktree::stack::delegate::StackDelegate, when the state member is State::CreateDirectoryAndAttributesStack, Attributes::push_directory() only loads attributes (from the ODB, in the clone case), and does not perform any other checks. The on-disk symlink_metadata() check and unlink-on-collision live in StackDelegate::push()'s invocation of create_leading_directory(), which is therefore bypassed for the cached prefix. The final symlink is created with plain std::os::unix::fs::symlink, which follows symlinks in parent directories. Therefore, it's possible to provide a tree with duplicate symlink and directory entries that exploits this. This vulnerability is fixed in 0.21.1. (CVE-2026-44471)
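The check that the cached prefix skips, shown as an added example that is not gitoxide's own code: a small Rust worktree writer that calls symlink_metadata() on every leading component of every entry, trusting no previously validated prefix, so a symlink that an earlier entry left in the tree cannot redirect a later one. CheckoutError, checked_leaf_path and create_worktree_symlink are names assumed for this example, and the scratch directory layout in main is constructed.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

#[derive(Debug)]
pub enum CheckoutError {
    SymlinkInPath(PathBuf), // an existing leading component is a symlink
    NotADirectory(PathBuf), // a leading component exists but is not a directory
    Io(io::Error),
}

/// Validate (and create) every leading directory of `rel` under `root`, consulting
/// symlink_metadata() for each component on every call: no cached prefix is trusted.
pub fn checked_leaf_path(root: &Path, rel: &Path) -> Result<PathBuf, CheckoutError> {
    let comps: Vec<_> = rel.components().collect();
    let (leaf, parents) = comps.split_last().ok_or_else(|| CheckoutError::NotADirectory(root.to_path_buf()))?;
    let mut cur = root.to_path_buf();
    for comp in parents {
        cur.push(comp);
        match fs::symlink_metadata(&cur) {
            Ok(md) if md.file_type().is_symlink() => return Err(CheckoutError::SymlinkInPath(cur)),
            Ok(md) if md.is_dir() => {}
            Ok(_) => return Err(CheckoutError::NotADirectory(cur)),
            Err(e) if e.kind() == io::ErrorKind::NotFound => fs::create_dir(&cur).map_err(CheckoutError::Io)?,
            Err(e) => return Err(CheckoutError::Io(e)),
        }
    }
    cur.push(leaf);
    Ok(cur)
}

/// Create a deferred symlink entry only after its parents passed the check above.
pub fn create_worktree_symlink(root: &Path, rel: &Path, target: &Path) -> Result<PathBuf, CheckoutError> {
    let full = checked_leaf_path(root, rel)?;
    std::os::unix::fs::symlink(target, &full).map_err(CheckoutError::Io)?;
    Ok(full)
}

fn main() -> Result<(), io::Error> {
    // Constructed scenario: an earlier entry left "shared" as a symlink to a writable
    // directory; the later entry "shared/link" must not be written through it.
    let root = std::env::temp_dir().join(format!("wt-demo-{}", std::process::id()));
    fs::create_dir_all(root.join("outside"))?;
    std::os::unix::fs::symlink(root.join("outside"), root.join("shared"))?;
    let verdict = create_worktree_symlink(&root, Path::new("shared/link"), Path::new("x"));
    println!("{:?}", verdict); // Err(SymlinkInPath(..)) for this layout
    fs::remove_dir_all(&root)?;
    Ok(())
}
```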
Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of other users of the same registry. The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack. (CVE-2026-5222)
A security vulnerability has been detected in libssh2 up to 1.11.1. The affected component is the function userauth_password in the file src/userauth.c. Manipulation of the username_len/password_len arguments leads to an integer overflow. The attack may be launched remotely. The fixing patch is commit 256d04b60d80bf1190e96b0ad1e91b2174d744b1, and it should be applied to remediate this issue. (CVE-2026-7598)
Affected Packages:
rust-cargo-c
Issue Correction:
Run dnf update rust-cargo-c --releasever 2023.12.20260622 or dnf update --advisory ALAS2023-2026-1872 --releasever 2023.12.20260622 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
aarch64:
cargo-c-debuginfo-0.10.19-1.amzn2023.0.3.aarch64
cargo-c-0.10.19-1.amzn2023.0.3.aarch64
rust-cargo-c-debugsource-0.10.19-1.amzn2023.0.3.aarch64
src:
rust-cargo-c-0.10.19-1.amzn2023.0.3.src
x86_64:
cargo-c-debuginfo-0.10.19-1.amzn2023.0.3.x86_64
cargo-c-0.10.19-1.amzn2023.0.3.x86_64
rust-cargo-c-debugsource-0.10.19-1.amzn2023.0.3.x86_64